Scalable authorization middleware for service oriented architectures
Saved in:
Main author: | , , |
---|---|
Format: | Conference proceedings |
Language: | eng |
Online access: | Full text |
Summary: | The correct deployment and enforcement of expressive attribute-based access control (ABAC) policies in large distributed systems is a significant challenge. The enforcement of such policies requires policy-dependent collaborations between many distributed entities. In existing authorization systems, such collaborations are static and must be configured and verified manually by administrators. This approach does not scale to large and more dynamic application infrastructures in which frequent changes to policies and applications occur. As such, configuration mistakes or application changes might suddenly make policies unenforceable, which typically leads to severe service disruptions. We present a middleware for distributed authorization. The middleware provides a single administration point that enables the configuration and reconfiguration of application- and policy-dependent interactions between policy enforcement points (PEPs), policy decision points (PDPs) and policy information points (PIPs). Using lifecycle and dependency management, the architecture guarantees that configurations are consistent with respect to deployed policies and applications, and that they remain consistent as reconfigurations occur. Extensive performance evaluation shows that the runtime and configuration overhead of the middleware scale with the size and complexity of the infrastructure and that reconfigurations cause minimal disruption to the involved applications. |
ISSN: | 0302-9743 |